
EUROPEAN PARLIAMENT

DIRECTORATE-GENERAL FOR INTERNAL POLICIES

POLICY DEPARTMENT C

CITIZENS' RIGHTS AND CONSTITUTIONAL AFFAIRS




Constitutional Affairs 

Justice, Freedom and Security 

Gender Equality 
Legal and Parliamentary Affairs 
Petitions 



The US surveillance 
programmes and their 
impact on EU citizens' 
fundamental rights 




NOTE 




2013 




EUROPEAN PARLIAMENT

DIRECTORATE GENERAL FOR INTERNAL POLICIES
POLICY DEPARTMENT C:

CITIZENS' RIGHTS AND CONSTITUTIONAL AFFAIRS

CIVIL LIBERTIES, JUSTICE AND HOME AFFAIRS



The US surveillance programmes 
and their impact on EU citizens' 
fundamental rights 



NOTE 



Abstract 

In light of the recent PRISM-related revelations, this briefing note analyzes
the impact of US surveillance programmes on European citizens' rights. The 
note explores the scope of surveillance that can be carried out under the US 
FISA Amendments Act 2008, and related practices of the US authorities 
which have very strong implications for EU data sovereignty and the 
protection of European citizens' rights. 



PE 474.405 



EN 



This document was requested by the European Parliament's Committee on Civil Liberties, 
Justice and Home Affairs.



AUTHORS 

Mr Caspar BOWDEN (Independent Privacy Researcher) 

Introduction by Prof. Didier BIGO 
(King's College London / 

Director of the Centre d'Etudes sur les Conflits, Liberte et Securite - CCLS, Paris, France). 
Copy-Editing: Dr. Amandine SCHERRER 

(Centre d'Etudes sur les Conflits, Liberte et Securite - CCLS, Paris, France) 

Bibliographical assistance: Wendy Grossman 



RESPONSIBLE ADMINISTRATOR

Mr Alessandro DAVOLI 

Policy Department Citizens' Rights and Constitutional Affairs 
European Parliament 
B-1047 Brussels 

E-mail: alessandro.davoli@europarl.europa.eu 



LINGUISTIC VERSIONS 

Original: EN 



ABOUT THE EDITOR 

To contact the Policy Department or to subscribe to its monthly newsletter please write to: 
poldep-citizens@europarl.europa.eu

Manuscript completed in September 2013. 

Source: European Parliament © European Union, 2013. 

This document is available on the Internet at: 
http://www.europarl.europa.eu/studies 



DISCLAIMER 

The opinions expressed in this document are the sole responsibility of the author and do 
not necessarily represent the official position of the European Parliament. 

Reproduction and translation for non-commercial purposes are authorized, provided the 
source is acknowledged and the publisher is given prior notice and sent a copy. 



The US surveillance programmes and their impact on EU citizens' fundamental rights 



CONTENTS 

LIST OF ABBREVIATIONS 4

EXECUTIVE SUMMARY 5

INTRODUCTION 6

1. HISTORICAL BACKGROUND OF US SURVEILLANCE 10

1.1 World War II and the origins of the UKUSA treaties 10

1.2 ECHELON: the UKUSA communications surveillance nexus 11

1.3 1975-1978: Watergate and the Church Committee 11

1.4 The post-9/11 context: extension of intelligence powers 12

1.5 Edward Snowden's revelations and PRISM 13

1.5.1 "Upstream" 13

1.5.2 XKeyscore 13

1.5.3 BULLRUN 14

2. NSA PROGRAMMES AND RELATED LEGISLATION: CONTROVERSIES, GAPS AND LOOPHOLES AND IMPLICATIONS FOR EU CITIZENS 16

2.1 Legal gaps and uncertainties of US privacy law: implications for US citizens and residents 16

2.1.1 The Third Party Doctrine and limitations to the Fourth Amendment 16

2.1.2 CDRs and the 'Relevance Test' 17

2.1.3 'Direct Access' to data-centres granted for surveillance purposes? 18

2.1.4 Intelligence Agencies' 'Black Budget': scale and costs of US capabilities 19

2.2 Situation of non-US citizens and residents (non 'USPERs') 19

2.2.1 The political definitions of 'foreign information intelligence' 19

2.2.2 Specific powers over communications of non-US persons 20

2.2.3 The Fourth Amendment does not apply to non-USPERs outside the US 20

2.2.4 Cloud computing risks for non-US persons 21

2.2.5 There are no privacy rights recognised by US authorities for non-US persons under FISA 23

2.3 Data export: false solutions and insufficient safeguards 24

2.3.1 Safe Harbour, BCRs for processors and Cloud Computing 24

2.3.2 Model Contracts 26

3. STRATEGIC OPTIONS AND RECOMMENDATIONS FOR THE EUROPEAN PARLIAMENT 28

3.1 Reducing exposure and growing a European Cloud 28

3.2 Reinstating 'Article 42' 28

3.3 Whistle-Blowers' Protection and Incentives 30

3.4 Institutional Reform 30

3.5 Data Protection Authorities and Governance 30

CONCLUSION 33

REFERENCES 35




Policy Department C: Citizens' rights and Constitutional Affairs 



LIST OF ABBREVIATIONS



ACLU: American Civil Liberties Union

AUMF: Authorization to Use Military Force

CIA: Central Intelligence Agency

CNIL: Comite National pour l'Informatique et les Libertes

DPAs: Data Protection Authorities

EDPS: European Data Protection Supervisor

ENISA: European Network and Information Security Agency

FAA: Foreign Intelligence Surveillance Amendments Act (2008)

FBI: Federal Bureau of Investigation

FIVE EYES: UK, US, Canada, Australia, New Zealand: sharing intelligence under UKUSA

FISA: Foreign Intelligence Surveillance Act (1978)

FISC: Foreign Intelligence Surveillance Court

FISCR: Foreign Intelligence Surveillance Court of Review

NSA: National Security Agency

PAA: Protect America Act (2007)

SHA: EU-US Safe Harbour Agreement (2000)

TIA: Total Information Awareness

WP29: Article 29 Data Protection Working Party









EXECUTIVE SUMMARY 

This Briefing note provides the LIBE Committee with background and contextual
information on PRISM/FISA/NSA activities and US surveillance programmes, and their
specific impact on EU citizens' fundamental rights, including privacy and data protection. 



Prior to the PRISM scandal, European media underestimated this aspect, apparently
oblivious to the fact that the surveillance activity was primarily directed at the rest-of-the-world,
and was not targeted at US citizens. The note argues that the scope of surveillance
under the Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008 (FAA) has
very strong implications on EU data sovereignty and the protection of its citizens' rights.



The first section provides a historical account of US surveillance programmes,
showing that the US authorities have continuously disregarded the human right to privacy
of non-Americans. The analysis of various surveillance programmes (Echelon, PRISM) and
US national security legislation (FISA, PATRIOT and FAA) clearly indicates that surveillance
activities by the US authorities are conducted without taking into account the rights of non-US
citizens and residents. In particular, the scope of FAA creates a power of mass-surveillance
specifically targeted at the data of non-US persons located outside the US,
including data processed by 'Cloud computing', which eludes EU Data Protection regulation.



The second section gives an overview of the main legal gaps, loopholes and 
controversies of these programmes and their differing consequences for the 
rights of American and EU citizens. The section unravels the legal provisions governing 
US surveillance programmes and further uncertainties in their application, such as: 

serious limitations to the Fourth Amendment for US citizens 

specific powers over communications and personal data of "non-US persons"

absence of any cognizable privacy rights for "non-US persons" under FISA 



The section also shows that the accelerating and already widespread use of Cloud 
computing further undermines data protection for EU citizens, and that a review of some of 
the existing and proposed mechanisms that have been put in place to protect EU citizens' 
rights after data export, actually function as loopholes. 



Finally, some strategic options for the European Parliament are developed, and 

related recommendations are suggested in order to improve future EU regulation and to 
provide effective safeguards for protection for EU citizens' rights. 









INTRODUCTION 

Background 

This Briefing note aims at providing the LIBE Committee with background and contextual
information on PRISM/FISA/NSA activities and US surveillance programmes and their
impact on EU citizens' fundamental rights, including privacy and data protection. 

On June 5th the Washington Post and The Guardian published a secret order made under
s.215 of the PATRIOT Act requiring the Verizon telephone company to give the NSA details
of all US domestic and international phone calls, and "on an ongoing basis". On June 6th the
two newspapers revealed the existence of an NSA programme codenamed PRISM that
accessed data from leading brands of US Internet companies. By the end of the day a
statement from Adm. Clapper (Director of NSA) officially acknowledged the PRISM
programme and that it relied on powers under the FISA Amendments Act (FAA) 2008 s.702
(aka § 1881a). On June 9th Edward Snowden voluntarily disclosed his identity and a film
interview with him was released.

In the European Parliament resolution of 4 July 2013 on the US National Security Agency 
surveillance programme, MEPs expressed serious concern over PRISM and other 
surveillance programmes and strongly condemned spying on EU official representatives and 
called on the US authorities to provide them with full information on these allegations 
without further delay. Inquiries by the Commission 1 , Art. 29 Working Party 2 , and a few MS 
Parliaments are also in progress. 



The problem of transnational mass surveillance and democracy 3 

Snowden's revelations about PRISM show that Cyber mass-surveillance at the transnational 
level induces systemic breaches of fundamental rights. These breaches lead us to question 
the scale of transnational mass surveillance and its implications for our democracies. 

"Our government in its very nature, and our open society in all its instinct,
under the Constitution and the Bill of Rights automatically outlaws intelligence
organizations of the kind that have developed in police states" (Allen Dulles, 1963) 4



"There's been spying for years, there's been surveillance for years, and so
forth, I'm not going to pass judgement on that, it's the nature of our society"

(Eric Schmidt, Executive chairman of Google, 2013) 



These two quotations are separated by 50 years. They differ in their answers but
address the same central question: how far can democratic societies continue to exist in
their very nature if intelligence activities include massive surveillance of populations? For
Eric Schmidt, and according to most media reports in the world, the nature of society
has changed. Technologies of telecommunication, including mobile phones, the Internet,
satellites and more generally all data which can be digitalised and integrated into platforms,
have made it possible to gather unprecedented amounts of data, to keep them, to
organise them and to search them. If the technologies exist, then they have to be used: "it is
not possible to go against the flow". Therefore it is not a surprise to discover that
programmes run by intelligence services use these techniques to their maximum
possibilities and in secrecy. The assumption is that if everyone else with these technical
capabilities uses them, then we should too. If not, it would be naivety or, even worse, a
defeat endangering the national security of a country by letting another country benefit
from the possibilities opened by these technologies.

1 European Commissioner - Reding, Viviane (2013), Letter to the Attorney General. Ref. Ares (2013)1935546 -
10/06/2013, Brussels, 10 June 2013

2 Article 29 Working Party, Letter from the Chairman to Mrs Reding regarding the PRISM program, 13th August
2013

3 Preface by Prof. Didier Bigo

4 Dulles, Allen Welsh (1963), The Craft of Intelligence, New York: Harper&Row, p.257.

However, should we have to live with this extension of espionage to massive surveillance of 
populations and accept it as "a fact"? Fortunately, totalitarian regimes have more or less
disappeared before the full development of these capacities. Today, in democratic
regimes, when these technologies are used, they are limited on purpose and are mainly 
centred on antiterrorism collaboration, in order to prevent attempts of attacks. According to 
Intelligence Services worldwide, these technologies are not endangering civil liberties; they 
are the best way to protect the citizen from global terrorism. Intelligence services screen 
suspicious behaviours and exchange of information occurs at the international level. Only 
"real suspects" are, in principle, under surveillance. From this perspective, far from being a 
"shame", the revelations of programmes like PRISM could be seen as a proof of a good 
level of collaboration, which has eventually to be enhanced in the future against numerous 
forms of violence. 

In front of this "recital" given by the most important authorities of the different intelligence 
services and the antiterrorism agencies in the US, in the UK, in France, and at the EU level, 
it is critical to discuss the supposedly new nature of our societies. The impact of 
technological transformations in democratic societies, how to use these technologies as 
resources for both information exchange and competition over information (a key element 
of a globalised world), what are the rights of the different governments in processing them: 
these are the core questions. 

As stated by Allen Dulles above, justifications given by intelligence services work in favour 
of a police state and against the very nature of an open society living in democratic 
regimes. Proponents of an open society insist that, against the previous trend, technologies 
ought not to drive human actions; they have to be used in reasonable ways and under the 
Rule of Law. The mass scaling has to be contained. Constitutional provisions have to be 
applied, and the presumption of innocence is applicable for all human beings (not only 
citizens). If suspicions exist, they have to be related to certain forms of crime, and not 
marginal behaviours or life styles. Hence, what is at stake here is not the mechanisms by 
which antiterrorism laws and activities have to be regulated at the transatlantic level, even 
if it is a subset of the question. It is not even the question of espionage activities between 
different governments. It is the question of the nature, the scale, and the depth of 
surveillance that can be tolerated in and between democracies. 

Snowden's revelations highlight numerous breaches of fundamental rights. This affects in 
priority all the persons whose data have been extracted via surveillance of communications, 
digital cables or cloud computing technologies, as soon as they are under a category of 
suspicion, or of some interest for foreign intelligence purposes. However, all these persons 
are not protected in the same way, especially if they are not US citizens. The EU citizen is 
therefore particularly fragile in this configuration connecting US intelligence 
services, private companies that provide services at the global level and the 
ownership they can exercise over their data. It is clear that if EU citizens do not have 
the same level of protections as the US citizens, because of the practices of the US 
intelligence services and the lack of effective protections, they will become the first victims 
of these systems. Freedom of thought, opinion, expression and of the press are cardinal 
values that have to be preserved. Any citizen of the EU has the right to have a private life,
i.e. a life which is not fully under the surveillance of any state apparatus. The investigative
eyes of any government have to be strongly reminded of distinctions between private and 
public activities, between what is a crime and what is simply a different life-style. By 
gathering massive data on life-styles in order to elaborate patterns and profiles concerning 
political attitudes and economic choices, PRISM seems to have allowed an unprecedented 
scale and depth in intelligence gathering, which goes beyond counter-terrorism and beyond 
espionage activities carried out by liberal regimes in the past. This may lead towards an 
illegal form of Total Information Awareness where data of millions of people are subject to 
collection and manipulation by the NSA. 

This note wants to assess this question of the craft of intelligence and its necessary limits in 
democracy and between them. As we will see, through the documents delivered by 
Snowden, the scale of the PRISM programme is global; its depth reaches the digital data of 
large groups of populations and breaches the fundamental rights of large groups of 
populations, especially EU citizens. The EU institutions have therefore the right and duty to 
examine this emergence of cyber mass-surveillance and how it affects the fundamental 
rights of the EU citizen abroad and at home. 



Privacy governance: EU/ US competing models 

A careful analysis of US privacy laws compared to the EU Data Protection framework shows 
that the former allows few practical options for the individual to live their lives with
self-determination over their personal data. However a core effect of Data Protection law is that
if data is copied from one computer to another, then providing the right legal conditions for 
transfer exist, the individual cannot object on the grounds that their privacy risk increases 
through every such proliferation of "their" data 5 . This holds true if the data is copied onto a 
thousand machines in one organization, or spread onward to a thousand organisations, or 
to a different legal regime in a Third Country. The individual cannot stop this once they lose 
possession of their data, whereas for example if the data was "intellectual property", then a 
license to reproduce the data would be necessary by permission. We are all the authors of 
our lives, and it seems increasingly anomalous that Internet companies lay claim to 
property rights in the patterns of data minutely recording our thoughts and behaviour, yet 
ask the people who produce this data to sacrifice their autonomy and take privacy on trust. 

The EU Data Protection framework in theory is categorically better than the US for privacy, 
but in practice it is hard to find any real-world Internet services that implement DP 
principles by design, conveniently and securely. 

Privacy governance around the world has evolved around two competing models. Europe 
made some rights of individuals inalienable and assigned responsibilities to Data Controller 
organizations, whereas in the United States companies inserted waivers of rights into 
Terms and Conditions 6 contracts allowing exploitation of data in exhaustive ways (known as
the 'Notice-and-Choice' principle).

The PRISM crisis arose directly from the emerging dominance over the last decade of "free" 
services operated from remote warehouses full of computer servers, by companies 
predominantly based in US jurisdiction, that has become known as Cloud computing. To 
explain this relationship we must explore details of the US framework of national security 
law. 



5 Hondius, Frits W (1975), Emerging data protection in Europe. North-Holland Pub. Co. 

6 cf. the documentary "Terms and Conditions May Apply" (2013, USA) dir. Cullen Holback. 









Scope and structure 

It is striking that since the first reports of "warrantless wiretapping" in the last decade, and
until quite recently in the PRISM-related revelations, European media have covered US
surveillance controversies as if these were purely parochial arguments about US civil
liberties, apparently oblivious that the surveillance activity was directed at the rest-of-the-world.

This note aims to document this under-appreciated aspect. It will show that the scope of 
surveillance conducted under a change in the FISA law in 2008 extended its scope beyond 
interception of communications to include any data in public cloud computing as well. This 
has very strong implications for the EU's continued sovereignty over data and the 
protection of its citizens' rights. The aim is here to provide a guide to how surveillance of 
Internet communications by the US government developed, and how this affects the human 
right to privacy, integrating historical, technical, and policy analysis from the perspective of 
the individual EU citizen 7 . The Note will therefore cover the following: 



(I) An account of US foreign surveillance history and current known state 

(II) An overview of the main legal controversies both in US terms, and the effects 
and consequences for EU citizens' rights 

(III) Strategic options for the European Parliament and recommendations 



7 New stories based on Snowden's material were breaking throughout the drafting of this Note and whilst every 
effort has been made to ensure accuracy, it is possible that further revelations could change the interpretations 
given. 









1. HISTORICAL BACKGROUND OF US SURVEILLANCE

KEY FINDINGS 

• A historical account of various US surveillance programmes (precursors to Echelon,
PRISM, etc.) and US legislation in the field of surveillance (FISA and FAA) shows
that the US has continuously disregarded the fundamental rights of non-US
citizens.

• In particular, the scope of FAA coupled with expressly 'political' definitions of what
constitutes 'foreign intelligence information' creates a power of mass-surveillance
specifically targeted at the data of non-US persons located
outside the US, which eludes effective control by current and proposed EU Data
Protection regulation.



A historical account of US surveillance programmes provides the context for their 
interpretation as the latest phase of a system of US exceptionalism, with origins in World 
War II. These programmes constitute the greatest contemporary challenge to data 
protection, because they incorporated arbitrary discriminatory standards of treatment 
strictly according to nationality and geopolitical alliances, which are secret and incompatible 
with the rule of law under EU structures. 

1.1. World War II and the origins of the UKUSA treaties

In the 1970s there were the first disclosures of the extent of Allied success in WWII 
cryptanalysis. The world discovered the secret history of Bletchley Park (aka Station X), 
Churchill's signals intelligence headquarters. The story of post-war secret intelligence 
partnerships at the international level is intertwined with the personal trajectory of Alan 
Turing, a great mathematician and co-founder of computer science, who was critical to the 
effort to design automated machines which could feasibly solve ciphers generated by 
machine, such as Enigma (used for many Nazi Germany communications). 

Alan Turing travelled to the US in 1942 to supervise US Navy mass-production of the
decryption machines (called 'bombes') for the Atlantic war, and to review work on a new
scrambler telephone at Bell Laboratories to be used for communications between Heads of
Government. Unfortunately Turing was not equipped with any letters of authority, so he 
was detained by US immigration as suspicious until rescued by UK officials in New York. 
What was initially supposed to be a two-week trip turned into months, as no precedent 
existed to grant even a foreign ally security clearance to the laboratories he was supposed 
to visit. There followed several months of fraught UK diplomacy and turf wars between the 
US Navy and Army, since the latter had no "need-to-know" about Ultra (the name given to 
intelligence produced from decryption at Bletchley). The UK wanted as few people as 
possible in on the secret, and the disharmony thus experienced inside the US military 
security hierarchies became known as "the Turing Affair". 

These were the origins of the post-war secret intelligence partnership between the US and 
UK as "first" parties, Canada/ Australia/New Zealand as second parties, and other nations 
with lesser access as third parties. The treaty is named UKUSA, and we know the details 
above about its genesis because in 2010 the US National Security Agency declassified the 
unredacted text of UKUSA treaties 8 up until the 1950s with related correspondence (the 



8 UKUSA Agreement Release 1940-1956, Early Papers Concerning US-UK Agreement 1940-1944. NSA/CSS






